Posted to users@tomcat.apache.org by ka...@accenture.com on 2013/11/28 07:15:27 UTC

Patch information required

Hi All,

We are using Apache Tomcat version 6.0.26 and we need to install the patches below on our servers to fix some vulnerabilities.

http://svn.apache.org/viewvc?view=revision&revision=958911
http://svn.apache.org/viewvc?view=revision&revision=958977
http://svn.apache.org/viewvc?view=revision&revision=959428
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584&actionBtn=Search

I am not sure how to install these patches. Can anyone help us here?

Regards
Kanishk Sethi

________________________________

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. .
______________________________________________________________________________________

www.accenture.com

Re: Patch information required

Posted by Mark Thomas <ma...@apache.org>.
On 28/11/2013 06:36, Ben Stringer wrote:
> On Thu, November 28, 2013 5:15 pm, kanishk.sethi@accenture.com wrote:
>> Hi All,
>>
> 
> Hi Kanishk,
> 
>> We are using Apache Tomcat version 6.0.26 and we need to install the
>> patches below on our servers to fix some vulnerabilities.
>>
>> http://svn.apache.org/viewvc?view=revision&revision=958911
>> http://svn.apache.org/viewvc?view=revision&revision=958977
>> http://svn.apache.org/viewvc?view=revision&revision=959428
>> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
>> http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584&actionBtn=Search
> 
> Is the Apache Tomcat instance you are using bundled with the applications
> above (from HP, Juniper)? If so, you should get an updated release from
> those vendors, as they should have bundled a higher version of Tomcat that
> resolves the issues.

+1. Both the HP page and the Juniper page provide details of how to
obtain an updated version of their respective products that includes the
fixes.

If you really want to do this by hand (not recommended) then the
starting point is downloading the 6.0.26 src distribution or checking
out the 6.0.26 tag and building from source.

> You can cross-check your list of CVE vulnerabilities against Tomcat
> versions at this page:
> 
> http://tomcat.apache.org/security.html
> 
> Looks like 6.0.37 is the latest version of Tomcat 6.

It is. And there are quite a few vulnerabilities fixed since 6.0.26.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
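
Added example (not part of any message in this thread): a shell check for the cross-check Ben and Mark describe, reading the version a bundled Tomcat reports and comparing it with 6.0.37. It assumes catalina.jar contains org/apache/catalina/util/ServerInfo.properties with a server.number line; the sample properties text is constructed.

```shell
#!/bin/sh
# Added example: flag a bundled Tomcat that is older than a required release.

# Extract the dotted version from ServerInfo.properties text on stdin.
tomcat_version_from_props() {
    sed -n 's/^server\.number=\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Read the version from an installed catalina.jar (assumed layout, see lead-in).
tomcat_version_from_jar() {
    unzip -p "$1" org/apache/catalina/util/ServerInfo.properties |
        tomcat_version_from_props
}

# Return 0 if version $1 is lower than version $2, field by field (numeric).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}          # missing fields count as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                           # equal versions are not "lower"
}

# Print a verdict for a found version against the required minimum.
check_tomcat() {
    if version_lt "$1" "$2"; then
        echo "OUTDATED: $1 < $2"
    else
        echo "OK: $1 >= $2"
    fi
}

# Constructed sample of ServerInfo.properties content for a 6.0.26 build.
SAMPLE_PROPS='server.info=Apache Tomcat/6.0.26
server.number=6.0.26.0
server.built=constructed-sample'

# 6.0.37 is the latest Tomcat 6 release named in the thread.
found=$(printf '%s\n' "$SAMPLE_PROPS" | tomcat_version_from_props)
check_tomcat "$found" 6.0.37
```

On a real install, `tomcat_version_from_jar` takes the path to the bundle's `lib/catalina.jar` in place of the sample text.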


Re: Patch information required

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Ben,

On 11/28/13, 2:49 AM, Ben Stringer wrote:
>> On 28 Nov 2013, at 6:14 pm, <pr...@accenture.com> wrote:
>> 
>> Hi Ben,
>> 
>> Thanks for your comment.
>> 
>> We are using the Tomcat bundle which comes with JasperReports Server
>> (v5.1.0).
> 
> Can you upgrade to 5.5? This uses Tomcat 7. Likely to have many of
> your patches covered.
> 
> Upgrading a bundled Tomcat would require you taking on some testing
> effort, and may affect your product support from the vendor. Safer
> to follow the vendor's upgrade path.

JasperReports Server is not significantly tied to the version of
Tomcat on which it is bundled. I recently set up a JRS server by
downloading their "WAR installer" and just installed it myself onto
whatever version I wanted (Tomcat 7 at the time).

-chris



Re: Patch information required

Posted by Ben Stringer <be...@burbong.com>.

> On 28 Nov 2013, at 6:14 pm, <pr...@accenture.com> wrote:
> 
> Hi Ben,
> 
> Thanks for your comment.
> 
> We are using the Tomcat bundle which comes with JasperReports Server (v5.1.0).

Can you upgrade to 5.5? This uses Tomcat 7. Likely to have many of your patches covered. 

Upgrading a bundled Tomcat would require you taking on some testing effort, and may affect your product support from the vendor. Safer to follow the vendor's upgrade path.

Cheers, Ben
> 
> Can you provide any alternative way to install the below-mentioned patches without upgrading it to the latest version?
> 
> We are not sure whether upgrading to the latest version will affect our application server or not.
> 
> Thanks,
> Pravin Pawar
> 
> -----Original Message-----
> From: Ben Stringer [mailto:ben@burbong.com]
> Sent: Thursday, November 28, 2013 12:06 PM
> To: Tomcat Users List
> Cc: Pawar, Pravin
> Subject: Re: Patch information required
> 
>> On Thu, November 28, 2013 5:15 pm, kanishk.sethi@accenture.com wrote:
>> Hi All,
> 
> Hi Kanishk,
> 
>> We are using Apache Tomcat version 6.0.26 and we need to install the
>> patches below on our servers to fix some vulnerabilities.
>> 
>> http://svn.apache.org/viewvc?view=revision&revision=958911
>> http://svn.apache.org/viewvc?view=revision&revision=958977
>> http://svn.apache.org/viewvc?view=revision&revision=959428
>> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
>> http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584&actionBtn=Search
> 
> Is the Apache Tomcat instance you are using bundled with the applications above (from HP, Juniper)? If so, you should get an updated release from those vendors, as they should have bundled a higher version of Tomcat that resolves the issues.
> 
> You can cross-check your list of CVE vulnerabilities against Tomcat versions at this page:
> 
> http://tomcat.apache.org/security.html
> 
> Looks like 6.0.37 is the latest version of Tomcat 6.
> 
> Cheers, Ben



Re: Patch information required

Posted by Ben Stringer <be...@burbong.com>.
On Thu, November 28, 2013 5:15 pm, kanishk.sethi@accenture.com wrote:
> Hi All,
>

Hi Kanishk,

> We are using Apache Tomcat version 6.0.26 and we need to install the
> patches below on our servers to fix some vulnerabilities.
>
> http://svn.apache.org/viewvc?view=revision&revision=958911
> http://svn.apache.org/viewvc?view=revision&revision=958977
> http://svn.apache.org/viewvc?view=revision&revision=959428
> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
> http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584&actionBtn=Search

Is the Apache Tomcat instance you are using bundled with the applications
above (from HP, Juniper)? If so, you should get an updated release from
those vendors, as they should have bundled a higher version of Tomcat that
resolves the issues.

You can cross-check your list of CVE vulnerabilities against Tomcat
versions at this page:

http://tomcat.apache.org/security.html

Looks like 6.0.37 is the latest version of Tomcat 6.

Cheers, Ben



RE: Patch information required

Posted by Martin Gainty <mg...@hotmail.com>.
I will contact all the engineers I know who want to work free for Accenture

Goodbye
______________________
Disclaimer and confidentiality note


This message is confidential. If you are not the intended recipient, we kindly ask that you let us know. Any unauthorized forwarding or copying is prohibited. This message serves solely for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for the content.

  


> From: kanishk.sethi@accenture.com
> To: users@tomcat.apache.org
> CC: pravin.pawar@accenture.com
> Subject: Patch information required
> Date: Thu, 28 Nov 2013 06:15:27 +0000
> 
> Hi All,
> 
> We are using Apache Tomcat version 6.0.26 and we need to install the patches below on our servers to fix some vulnerabilities.
> 
> http://svn.apache.org/viewvc?view=revision&revision=958911
> http://svn.apache.org/viewvc?view=revision&revision=958977
> http://svn.apache.org/viewvc?view=revision&revision=959428
> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
> http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-05-584&actionBtn=Search
> 
> I am not sure how to install these patches. Can anyone help us here?
> 
> Regards
> Kanishk Sethi